On Fri, 2002-11-15 at 05:26, Daniel Hartmeier wrote:
> On Fri, Nov 15, 2002 at 02:37:28AM -0500, Jason Dixon wrote:
>
> > Is "pool exhaustion" equatable to "memory exhaustion"? If that's the
> > case, that is definitely *not* what I'm experiencing. The box has
> > plenty of available memory and CPU. It's busy cranking away with a 5k
> > frag limit, when it will simply panic. If you'd like me to provide some
> > of the error messages, I'll be happy to. They always refer to some sort
> > of packet normalization code (ip_norm?), usually a pointer error.
>
> No, if you set both fragment and state limits to sane values for your
> amount of available RAM (try 65k for both, to be sure) you should never
> get a pf related panic. Can you send me some ddb> trace outputs? What
> version are you using, can you try to reproduce the panic with -current?

Set both to 65k, works great. The state limit shouldn't have had any effect, as igmp is being blocked quick anyways. Why does *increasing* the frag limit help here? I would assume (I'm an idiot, mind you) that lowering the limit would keep the pool safe.

Still running -stable, fwiw.

-J.
